Vulnerabilities > Jenkins > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-10-02 | CVE-2024-47805 | Insufficiently Protected Credentials vulnerability in Jenkins Credentials Jenkins Credentials Plugin 1380.va_435002fa_924 and earlier, except 1371.1373.v4eb_fa_b_7161e9, does not redact encrypted values of credentials using the `SecretBytes` type when accessing item `config.xml` via REST API or CLI. | 7.5 |
| 2024-08-07 | CVE-2024-43044 | Improper Check for Unusual or Exceptional Conditions vulnerability in Jenkins Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system by using the `ClassLoaderProxy#fetchJar` method in the Remoting library. | 8.8 |
| 2024-01-24 | CVE-2024-23898 | Origin Validation Error vulnerability in Jenkins Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenkins controller. | 8.8 |
| 2024-01-24 | CVE-2024-23904 | Unspecified vulnerability in Jenkins LOG Command Jenkins Log Command Plugin 1.0.2 and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read content from arbitrary files on the Jenkins controller file system. | 7.5 |
| 2023-12-13 | CVE-2023-50764 | Unspecified vulnerability in Jenkins Scriptler Jenkins Scriptler Plugin 342.v6a_89fd40f466 and earlier does not restrict a file name query parameter in an HTTP endpoint, allowing attackers with Scriptler/Configure permission to delete arbitrary files on the Jenkins controller file system. | 8.1 |
| 2023-12-13 | CVE-2023-50766 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Nexus Platform 3.18.003 A cross-site request forgery (CSRF) vulnerability in Jenkins Nexus Platform Plugin 3.18.0-03 and earlier allows attackers to send an HTTP request to an attacker-specified URL and parse the response as XML. | 8.8 |
| 2023-12-13 | CVE-2023-50768 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Nexus Platform 3.18.003 A cross-site request forgery (CSRF) vulnerability in Jenkins Nexus Platform Plugin 3.18.0-03 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. | 8.8 |
| 2023-12-13 | CVE-2023-50774 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Html Resource 1.01/1.02 A cross-site request forgery (CSRF) vulnerability in Jenkins HTMLResource Plugin 1.02 and earlier allows attackers to delete arbitrary files on the Jenkins controller file system. | 8.1 |
| 2023-12-13 | CVE-2023-50778 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Paaslane Estimate 1.0.4 A cross-site request forgery (CSRF) vulnerability in Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier allows attackers to connect to an attacker-specified URL using an attacker-specified token. | 8.8 |
| 2023-11-29 | CVE-2023-49655 | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Matlab 2.11.0 A cross-site request forgery (CSRF) vulnerability in Jenkins MATLAB Plugin 2.11.0 and earlier allows attackers to have Jenkins parse an XML file from the Jenkins controller file system. | 8.8 |